Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get columns associated with max value of sp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nowakgft
Engager
07-26-2022
05:23 AM
Hello everyone,
I have following type of data to analyze:
| timestamp | endpoint | executionTime |
| 08:12 | /products | 0.3 |
| 08:20 | /products | 0.8 |
| 08:25 | /users | 0.5 |
| 08:41 | /users | 1.0 |
| 08:50 | /products | 0.7 |
I would like to display information about slowest endpoint in each 30 minute window, in this example it would look like:
| timeWindow | timestamp | endpoint | maxExecutionTime |
| 08:00 | 08:20 | /products | 0.8 |
| 08:30 | 08:41 | /users | 1 |
It's fairly easy to gather data on maximum execution time only and so I created such a query:
index = myindex | timechart span=30m max(executionTime) as maxExecutionTime
but now I have no idea how to attach endpoint called and actual timestamp. How should I do it?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-26-2022
05:56 AM
Give this a try
index = myindex | bucket span=30m _time as timeWindow | eventstats max(executionTime) as max maxExecutionTime by endpoint
| where executionTime=MaxExecutionTime
| table timeWindow _time endpoint maxExecutionTime
| convert ctime(timeWindow)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-26-2022
05:56 AM
Give this a try
index = myindex | bucket span=30m _time as timeWindow | eventstats max(executionTime) as max maxExecutionTime by endpoint
| where executionTime=MaxExecutionTime
| table timeWindow _time endpoint maxExecutionTime
| convert ctime(timeWindow)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nowakgft
Engager
07-26-2022
07:28 AM
I gave it a try, changed it in two places (corrected typo in max maxExecutionTime and changed by endpoint to by timeWindow).
index = myindex | bucket span=30m _time as timeWindow | eventstats max(executionTime) as maxExecutionTime by timeWindow
| where executionTime=MaxExecutionTime
| table timeWindow _time endpoint maxExecutionTime
| convert ctime(timeWindow)Now works like a charm 🙂 Thank you!
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
